Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41241

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

Published

2022-03-08T19:15:07.927

Last Modified

2024-11-21T06:25:51.403

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-863
  • Type: Primary
    CWE-862
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application nextcloud nextcloud_server < 20.0.14 Yes
Application nextcloud nextcloud_server < 21.0.6 Yes
Application nextcloud nextcloud_server 22.2.0 Yes
References